bd564910525c66d85064008b1b0bd83d0098de2fc3dc61d2ffa49e04195ed842

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
Size

48KB
MD5

bd5b9329dce9d28b3ef8aba91494d54e
SHA1

9f3838987cf3636cb555d927829a77da660b9e18
SHA256

bd564910525c66d85064008b1b0bd83d0098de2fc3dc61d2ffa49e04195ed842
SHA512

75d28683402913fa65bd149aba35124a79fbc091450e05b8d03906c29862702a0363f1c42d410f80e5f5a866542ce63ce16a8631a4fe4bd60ef4e1661ee21a57
SSDEEP

768:dbZf4IlYHLIaHR2dXvq50wh5E9g7uUh7986dOXpRo7t845kFEntNOY:dlf4pXHiX+0whSgThZeXpX+ntkY

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe

Executes dropped EXE 64 IoCs

pid	Process
2916	dwdsregt.exe
2796	dwdsregt.exe
3004	dwdsregt.exe
2660	dwdsregt.exe
2632	dwdsregt.exe
1920	dwdsregt.exe
2188	dwdsregt.exe
2388	dwdsregt.exe
1712	dwdsregt.exe
2952	dwdsregt.exe
1620	dwdsregt.exe
1320	dwdsregt.exe
332	dwdsregt.exe
3016	dwdsregt.exe
2192	dwdsregt.exe
1500	dwdsregt.exe
1852	dwdsregt.exe
1740	dwdsregt.exe
1572	dwdsregt.exe
1272	dwdsregt.exe
800	dwdsregt.exe
2524	dwdsregt.exe
2584	dwdsregt.exe
2408	dwdsregt.exe
3068	dwdsregt.exe
1032	dwdsregt.exe
2088	dwdsregt.exe
876	dwdsregt.exe
2436	dwdsregt.exe
1000	dwdsregt.exe
2236	dwdsregt.exe
2868	dwdsregt.exe
2764	dwdsregt.exe
2796	dwdsregt.exe
2816	dwdsregt.exe
1192	dwdsregt.exe
2652	dwdsregt.exe
2124	dwdsregt.exe
2620	dwdsregt.exe
2376	dwdsregt.exe
2320	dwdsregt.exe
2960	dwdsregt.exe
840	dwdsregt.exe
1760	dwdsregt.exe
1840	dwdsregt.exe
1372	dwdsregt.exe
2968	dwdsregt.exe
1092	dwdsregt.exe
1564	dwdsregt.exe
916	dwdsregt.exe
2092	dwdsregt.exe
2192	dwdsregt.exe
1500	dwdsregt.exe
1852	dwdsregt.exe
808	dwdsregt.exe
2056	dwdsregt.exe
940	dwdsregt.exe
776	dwdsregt.exe
2720	dwdsregt.exe
1632	dwdsregt.exe
2596	dwdsregt.exe
3068	dwdsregt.exe
1032	dwdsregt.exe
2292	dwdsregt.exe

Loads dropped DLL 64 IoCs

pid	Process
1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
2916	dwdsregt.exe
2916	dwdsregt.exe
2796	dwdsregt.exe
2796	dwdsregt.exe
3004	dwdsregt.exe
3004	dwdsregt.exe
2660	dwdsregt.exe
2660	dwdsregt.exe
2632	dwdsregt.exe
2632	dwdsregt.exe
1920	dwdsregt.exe
1920	dwdsregt.exe
2188	dwdsregt.exe
2188	dwdsregt.exe
2388	dwdsregt.exe
2388	dwdsregt.exe
1712	dwdsregt.exe
1712	dwdsregt.exe
2952	dwdsregt.exe
2952	dwdsregt.exe
1620	dwdsregt.exe
1620	dwdsregt.exe
1320	dwdsregt.exe
1320	dwdsregt.exe
332	dwdsregt.exe
332	dwdsregt.exe
3016	dwdsregt.exe
3016	dwdsregt.exe
2192	dwdsregt.exe
2192	dwdsregt.exe
1500	dwdsregt.exe
1500	dwdsregt.exe
1852	dwdsregt.exe
1852	dwdsregt.exe
1740	dwdsregt.exe
1740	dwdsregt.exe
1572	dwdsregt.exe
1572	dwdsregt.exe
1272	dwdsregt.exe
1272	dwdsregt.exe
800	dwdsregt.exe
800	dwdsregt.exe
2524	dwdsregt.exe
2524	dwdsregt.exe
2584	dwdsregt.exe
2584	dwdsregt.exe
2408	dwdsregt.exe
2408	dwdsregt.exe
3068	dwdsregt.exe
3068	dwdsregt.exe
1032	dwdsregt.exe
1032	dwdsregt.exe
2088	dwdsregt.exe
2088	dwdsregt.exe
876	dwdsregt.exe
876	dwdsregt.exe
2436	dwdsregt.exe
2436	dwdsregt.exe
1000	dwdsregt.exe
1000	dwdsregt.exe
2236	dwdsregt.exe
2236	dwdsregt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dwdsregt.exe	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
2916	dwdsregt.exe
2796	dwdsregt.exe
3004	dwdsregt.exe
2660	dwdsregt.exe
2632	dwdsregt.exe
1920	dwdsregt.exe
2188	dwdsregt.exe
2388	dwdsregt.exe
1712	dwdsregt.exe
2952	dwdsregt.exe
1620	dwdsregt.exe
1320	dwdsregt.exe
332	dwdsregt.exe
3016	dwdsregt.exe
2192	dwdsregt.exe
1500	dwdsregt.exe
1852	dwdsregt.exe
1740	dwdsregt.exe
1572	dwdsregt.exe
1272	dwdsregt.exe
800	dwdsregt.exe
2524	dwdsregt.exe
2584	dwdsregt.exe
2408	dwdsregt.exe
3068	dwdsregt.exe
1032	dwdsregt.exe
2088	dwdsregt.exe
876	dwdsregt.exe
2436	dwdsregt.exe
1000	dwdsregt.exe
2236	dwdsregt.exe
2868	dwdsregt.exe
2764	dwdsregt.exe
2796	dwdsregt.exe
2816	dwdsregt.exe
1192	dwdsregt.exe
2652	dwdsregt.exe
2124	dwdsregt.exe
2620	dwdsregt.exe
2376	dwdsregt.exe
2320	dwdsregt.exe
2960	dwdsregt.exe
840	dwdsregt.exe
1760	dwdsregt.exe
1840	dwdsregt.exe
1372	dwdsregt.exe
2968	dwdsregt.exe
1092	dwdsregt.exe
1564	dwdsregt.exe
916	dwdsregt.exe
2092	dwdsregt.exe
2192	dwdsregt.exe
1500	dwdsregt.exe
1852	dwdsregt.exe
808	dwdsregt.exe
2056	dwdsregt.exe
940	dwdsregt.exe
776	dwdsregt.exe
2720	dwdsregt.exe
1632	dwdsregt.exe
2596	dwdsregt.exe
3068	dwdsregt.exe
1032	dwdsregt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2916	1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2916	1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2916	1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2916	1916	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2796	2916	dwdsregt.exe	31
PID 2916 wrote to memory of 2796	2916	dwdsregt.exe	31
PID 2916 wrote to memory of 2796	2916	dwdsregt.exe	31
PID 2916 wrote to memory of 2796	2916	dwdsregt.exe	31
PID 2796 wrote to memory of 3004	2796	dwdsregt.exe	32
PID 2796 wrote to memory of 3004	2796	dwdsregt.exe	32
PID 2796 wrote to memory of 3004	2796	dwdsregt.exe	32
PID 2796 wrote to memory of 3004	2796	dwdsregt.exe	32
PID 3004 wrote to memory of 2660	3004	dwdsregt.exe	33
PID 3004 wrote to memory of 2660	3004	dwdsregt.exe	33
PID 3004 wrote to memory of 2660	3004	dwdsregt.exe	33
PID 3004 wrote to memory of 2660	3004	dwdsregt.exe	33
PID 2660 wrote to memory of 2632	2660	dwdsregt.exe	34
PID 2660 wrote to memory of 2632	2660	dwdsregt.exe	34
PID 2660 wrote to memory of 2632	2660	dwdsregt.exe	34
PID 2660 wrote to memory of 2632	2660	dwdsregt.exe	34
PID 2632 wrote to memory of 1920	2632	dwdsregt.exe	35
PID 2632 wrote to memory of 1920	2632	dwdsregt.exe	35
PID 2632 wrote to memory of 1920	2632	dwdsregt.exe	35
PID 2632 wrote to memory of 1920	2632	dwdsregt.exe	35
PID 1920 wrote to memory of 2188	1920	dwdsregt.exe	36
PID 1920 wrote to memory of 2188	1920	dwdsregt.exe	36
PID 1920 wrote to memory of 2188	1920	dwdsregt.exe	36
PID 1920 wrote to memory of 2188	1920	dwdsregt.exe	36
PID 2188 wrote to memory of 2388	2188	dwdsregt.exe	37
PID 2188 wrote to memory of 2388	2188	dwdsregt.exe	37
PID 2188 wrote to memory of 2388	2188	dwdsregt.exe	37
PID 2188 wrote to memory of 2388	2188	dwdsregt.exe	37
PID 2388 wrote to memory of 1712	2388	dwdsregt.exe	38
PID 2388 wrote to memory of 1712	2388	dwdsregt.exe	38
PID 2388 wrote to memory of 1712	2388	dwdsregt.exe	38
PID 2388 wrote to memory of 1712	2388	dwdsregt.exe	38
PID 1712 wrote to memory of 2952	1712	dwdsregt.exe	39
PID 1712 wrote to memory of 2952	1712	dwdsregt.exe	39
PID 1712 wrote to memory of 2952	1712	dwdsregt.exe	39
PID 1712 wrote to memory of 2952	1712	dwdsregt.exe	39
PID 2952 wrote to memory of 1620	2952	dwdsregt.exe	40
PID 2952 wrote to memory of 1620	2952	dwdsregt.exe	40
PID 2952 wrote to memory of 1620	2952	dwdsregt.exe	40
PID 2952 wrote to memory of 1620	2952	dwdsregt.exe	40
PID 1620 wrote to memory of 1320	1620	dwdsregt.exe	41
PID 1620 wrote to memory of 1320	1620	dwdsregt.exe	41
PID 1620 wrote to memory of 1320	1620	dwdsregt.exe	41
PID 1620 wrote to memory of 1320	1620	dwdsregt.exe	41
PID 1320 wrote to memory of 332	1320	dwdsregt.exe	42
PID 1320 wrote to memory of 332	1320	dwdsregt.exe	42
PID 1320 wrote to memory of 332	1320	dwdsregt.exe	42
PID 1320 wrote to memory of 332	1320	dwdsregt.exe	42
PID 332 wrote to memory of 3016	332	dwdsregt.exe	43
PID 332 wrote to memory of 3016	332	dwdsregt.exe	43
PID 332 wrote to memory of 3016	332	dwdsregt.exe	43
PID 332 wrote to memory of 3016	332	dwdsregt.exe	43
PID 3016 wrote to memory of 2192	3016	dwdsregt.exe	44
PID 3016 wrote to memory of 2192	3016	dwdsregt.exe	44
PID 3016 wrote to memory of 2192	3016	dwdsregt.exe	44
PID 3016 wrote to memory of 2192	3016	dwdsregt.exe	44
PID 2192 wrote to memory of 1500	2192	dwdsregt.exe	45
PID 2192 wrote to memory of 1500	2192	dwdsregt.exe	45
PID 2192 wrote to memory of 1500	2192	dwdsregt.exe	45
PID 2192 wrote to memory of 1500	2192	dwdsregt.exe	45

C:\Users\Admin\AppData\Local\Temp\bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- \??\c:\windows\SysWOW64\dwdsregt.exe
  c:\windows\system32\dwdsregt.exe ELT001
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - \??\c:\windows\SysWOW64\dwdsregt.exe
    c:\windows\system32\dwdsregt.exe ELT001
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - \??\c:\windows\SysWOW64\dwdsregt.exe
      c:\windows\system32\dwdsregt.exe ELT001
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3004
    - - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        11⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        17⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        21⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        25⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        29⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        31⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        35⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        36⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        40⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        41⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        43⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        46⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        47⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        50⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        51⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        53⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        55⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        59⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        60⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        63⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        64⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        65⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2292
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        67⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2436
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        68⤵
        
        PID:2732
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        69⤵
        Drops startup file
        
        PID:2236
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        70⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2892
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        72⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        73⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        74⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2668
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        75⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        76⤵
        
        PID:2352
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        78⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2384
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        79⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        80⤵
        
        PID:2980
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        84⤵
        
        PID:1372
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        85⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1020
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        86⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        87⤵
        
        PID:1564
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        88⤵
        Drops file in System32 directory
        
        PID:2108
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        90⤵
        Drops file in System32 directory
        
        PID:2092
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        91⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        93⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:108
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        94⤵
        
        PID:2552
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        97⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        98⤵
        
        PID:1616
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        100⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        101⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1516
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        102⤵
        
        PID:2132
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        103⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        106⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        107⤵
        
        PID:2852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        108⤵
        
        PID:1344
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        109⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        110⤵
        
        PID:2672
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        111⤵
        Drops file in System32 directory
        
        PID:2776
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        112⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2716
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        113⤵
        
        PID:2760
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        114⤵
        Drops startup file
        
        PID:2124
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        115⤵
        Drops file in System32 directory
        
        PID:2060
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        116⤵
        Drops file in System32 directory
        
        PID:1724
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        117⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2928
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        118⤵
        
        PID:2960
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        121⤵
        Drops startup file
        
        PID:2932
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        122⤵
        Drops startup file
        
        PID:2976
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        123⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:572
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        124⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:920
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        125⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        127⤵
        Drops file in System32 directory
        
        PID:2364
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        128⤵
        Drops startup file
        
        PID:1240
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        129⤵
        Drops startup file
        
        PID:1736
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
920B

MD5
4336f2ef2bcb135f81efc5b857f0187b

SHA1
7a640f9194db929971488eaaae876147ecbab337

SHA256
083573fd2354b87ec0fcf54a0d881edfffd9c62fee98d0ad1f81f66d421c0d6f

SHA512
08875edb3a76db428f3497c6167685ce687328dd8d9274520428ea634b9a6914f406f164ac9372291d1e7355e3c6bda88a4003b85821dddd3a8f749de35d166d

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
28B

MD5
86df414e635e6c22c3898390e616ce37

SHA1
051f5fe21d7f3505a7e6fea1ccb9a50dbb276180

SHA256
b8b3c5f83231c277da334b1ebe828e8568da57079d5b62ddfd902aca18c11e4b

SHA512
05ed903b23b88a2040dc72ed1adb1f899b6a7dbac7be91f3639aaae734ad6565d832cd550c0eb92a021b977e43d76700117a5e3ccf6151bfddc3d3077c5c8a63

Download Submit
\Windows\SysWOW64\dwdsregt.exe

Filesize
48KB

MD5
8051809c81512cc8b56d488a55b7c9f3

SHA1
256b11fa7a0ff3e5db9638f11a1d6fc4b7cff468

SHA256
f5f278e18e077011f4e83ec721b5984d2676ad9325fd63a9ab9c8f47da437dfc

SHA512
de5fc90aa8fd91b8be7a1ae178df457506625102d39f64f0e093094d97fbfea1d5d1625357544b9f686e3ee1fb33ca07e27500d263323518171d1efd574c06ce

Download Submit